Oracle accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, whose change notes said only “Security Fix: Bug #13510739 and Bug #63775 were fixed”, with no other details on the problems.

It is a common practice to keep details quiet about issues an attacker could use against older versions of software; even the bug reports for 13510739 and 63775 are not yet publicly available.

But, as security researcher Eric Romang discovered, Oracle also shipped the new MySQL versions with a development script, “mysql-test/suite/innodb/t/innodb_bug13510739.test”, in the source. The script appears to be not only part of the automated testing for MySQL but also a proof of concept for the flaw, which crashes MySQL 5.5.21 and earlier versions.

Romang posted the script on Pastebin, but it requires authenticated access and appropriate privileges to run, which mitigates the problem somewhat.